HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Study Explores How Medical Apps are Sending Health Data to Facebook and Others

Sensitive information is being shared with data brokers and advertisers for the purpose of serving targeted advertisements, and not just by health apps and fitness trackers. HIPAA-covered entities are also sharing the health data without patient consent, which puts them at risk of regulatory fines and lawsuits.

Many consumer health apps collect sensitive health data, including pregnancy and fertility trackers and personal fitness and exercise apps. These apps are fed data or directly collect that information through associated wearable devices, and that information may be shared with third parties or sold, as per the terms and conditions for use of the apps. If users do not wish to share their data, they can simply not use the apps.

However, there is growing concern over the sharing of identifiable health data by healthcare organizations covered by the Health Insurance Portability and Accountability Act, which places restrictions on uses and disclosures of identifiable protected health information. Many hospitals have recently been discovered to have used the Meta Pixel JavaScript code on their websites for tracking visitor activity and evaluating the effectiveness of their Facebook marketing campaigns. In some cases, the code has been included on pages within patient portals, and health information has been transferred to Meta without consent and used by Facebook advertisers to serve targeted, personalized advertisements. At least two lawsuits have been filed against healthcare providers over the privacy violations, and Novant Health has recently issued notifications to more than 1.3 million patients whose privacy was violated.

Study Explores How Medical Apps Share Healthcare Data with Social Media Networks

A recent study has explored how medical apps have been sharing sensitive health data. The researchers selected medical apps that were commonly used by patients that engaged with social media websites, including Facebook, to find information related to their medical condition. The study focused on five digital medicine companies and evaluated 32 different cross-site-tracking middleware types that used cookies to track individuals across the Internet and shared their browsing data with Facebook for purposes of advertising and lead generation. Specifically, the researchers focused on companies that were offering services to patient advocates in the cancer care community who were active users of social media sites.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Patients often use social media websites to get support from their peers, with Facebook being one of the most popular. Facebook is awash with adverts related to health conditions. According to the researchers, health and pharmaceutical companies spent more than 1 billion on advertising on Facebook mobile advertising alone in 2019. The health information revealed by patients to social media sites exposes them to these adverts and allows health and pharmaceutical companies to target very specific patient populations. The focus on the cancer community was because those patients were perceived to be vulnerable to online scams, medical misinformation, and privacy breaches through the use of cross-site-tracking middleware. The researchers focused their study on Facebook’s ad model, although the findings may well apply to other social media platforms.

How Patients Are Tracked and Served Targeted Advertisements

In a typical scenario, a cancer patient signs up to use a digital medicine or genetic testing app and agrees to the terms and conditions. The patient has or signs up for a Facebook account in a separate process. Vendors embed third-party tracking code on websites that share off-Facebook activity without a user’s consent.

The off-Facebook activity from the vendor is used to update ad interests algorithms on Facebook. Facebook’s algorithms then promote health-related ads based on the users’ health interests. Vendors can target ads to users with specific health interests, and may also attempt to enrich data through forms and quizzes, with the lead data passed from Facebook to the vendor’s CRM system.

Privacy Policies and Data Sharing Practices Differ

While digital medicine or genetic testing apps have privacy policies that explain how data is collected and used, in some cases the privacy policies do not match the actual data sharing practices. All five of the apps had privacy policies, but three said health data would not be shared with advertisers when information was being shared.

All five apps are potentially covered by the Federal Trade Commission’s Health Breach Notification Rule, and two of the app providers were CLIA-certified labs that offer clinical genetic and diagnostic tests, and are therefore bound by HIPAA. In some cases, users were being tracked and data was being shared even though consent has not been obtained, and in some cases, users were told that their health information would not be shared with Facebook or others.

A spokesperson for Meta said that health information should not be shared with the platform and that it has filters in place that can detect and remove health data to prevent it from being shared with advertisers; however, the filter does not detect all health data. The researchers point out that Facebook announced in November 2021 that the platform would be removing all detailed ad-targeting endpoints for sensitive health information.”

The researchers suggest that the practice of tracking users and sharing their data with Facebook (and potentially other social media networks) could violate federal and industry regulations, especially the FTC’s Health Data Breach Notification Rule and potentially HIPAA. They also point out that since the introduction of the Health Data Breach Notification Rule, there has been no enforcement.

“We demonstrated that personal data and personal health data can be easily obtained without the aid of highly sophisticated cyberattack techniques but with rather commonplace third-party advertising tools,” said the researchers. While the study did not confirm any intentional deception of individuals, it was also not clear the extent to which these companies were aware that user health data is being monitored and fed to Facebook for the purposes of serving targeted advertisements.

“These marketing tools reveal a dark pattern used to track vulnerable patient journeys across platforms as they browse online, in some ways unclear to the companies and patient populations who are engaging through Facebook,” concluded the researchers. “While the digital medicine ecosystem relies on social media to recruit and build their businesses through advertising-related marketing channels, these practices sometimes contradict their own stated privacy policies and promises to users.”

The study – Health advertising on Facebook: Privacy and policy considerations – was published in the journal Patterns on August 15, 2022.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.